vrend: fix a stack overflow in set framebuffer state

Add the sanity check of the 'nr_cbufs' to avoid stack overflow. Signed-off-by: Li Qiang <liq3ea@gmail.com> Signed-off-by: Dave Airlie <airlied@redhat.com>
8 years ago · 926b9b3460
parent 747a293ff6
commit 926b9b3460
1 changed files with 4 additions and 0 deletions
--- a/src/vrend_decode.c
+++ b/src/vrend_decode.c
@ -136,6 +136,10 @@ static int vrend_decode_set_framebuffer_state(struct vrend_decode_ctx *ctx, int

   if (length != (2 + nr_cbufs))
      return EINVAL;
+
+   if (nr_cbufs > 8)
+      return EINVAL;
+
   for (i = 0; i < nr_cbufs; i++)
      surf_handle[i] = get_buf_entry(ctx, VIRGL_SET_FRAMEBUFFER_STATE_CBUF_HANDLE(i));
   vrend_set_framebuffer_state(ctx->grctx, nr_cbufs, surf_handle, zsurf_handle);